Hackers break into and empty Cash App accounts
Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
Hackers are breaking into unsuspecting victims’ Cash App accounts, a hugely popular payment app, and stealing hundreds of dollars, according to victims Motherboard spoke to. In one person’s case, they said, Cash App has not reimbursed them for the stolen funds.
“It is scary!” Liz Shelby, who said their son was a victim of the hacking, told Motherboard in an online chat. “My son saved up some money for a little holiday with his grandmother. We put it into his Cash app before he left. He called me on August 9 and told me his money was gone.”
Shelby said that after she looked at the account, she found that someone else had logged into it and sent them the money. Shelby said she has emailed Cash App support, without success.
“I’m getting nowhere and I’m sure my son will never get the money back,” she added.
Do you know anything else about Cash App, Venmo or similar scams? We would love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox or email [email protected]
Cash App is one of the most popular payment service apps, with over 50 million downloads from the Google Play Store. Cash App also gained some notoriety for large cash giveaways on social media. The app is owned by the payment services company Block, which was formerly known as Square. Jack Dorsey runs the company.
Marvis Herring, another target, told Motherboard that hackers attempted to steal $1,400, in two installments of $700. In those cases, Herring believes that his bank blocked the fraudulent transactions.
Motherboard saw many other people reporting on social media that their Cash App accounts had been compromised in some way.
Sign up for Motherboard’s daily newsletter for a regular dose of our original reporting, plus behind-the-scenes content on our biggest stories.
“The main thing I thought was weird is that I went to change my account password, and there really isn’t a password for Cash App accounts,” Herring added. When users register on the Cash App, they can use either an email address or a phone number to open an account. After doing so, they receive a login code sent to one of these.
On scam websites, dark web marketplaces and social media, several people seem to be selling login details associated with Cash App accounts. Some of these people’s entries specify that the logs contain the email address and password of a linked email account. Some of the listings may be scams, but those on the dark web markets come from scammers who have received positive feedback from purported customers, according to the rating system common to such sites. A listing for hacked Cash App accounts said the vendor has sold the specific item multiple times.
“Our Cashapp accounts are of the highest quality and we offer them at the most competitive rates on the market today,” a listing said. “Full Information Presented Recently Compromised.” The listing says buyers get the hacked login information, the victim’s cookie file and information like what IP address the victim used. This type of information can be useful for fraudsters to trick websites or apps into letting them sign in as a user.
The listing claimed that the hacked Cash App accounts may contain between $1,000 and $5,000 in available balance. It is common for members of the fraud ecosystem to fill different roles. Some focus on obtaining hacked accounts and then selling them, while others work to effectively cash them out.
On its website, Cash App encourages users to ensure that the associated email address has two-factor authentication enabled. The app has too an additional function called safety lock which means that each transfer requires the user to enter a PIN code.
“Preventing fraud is critically important to Cash App. We continue to invest in and strengthen anti-fraud resources by both increasing staffing and adopting new technology. We are constantly improving systems and controls to prevent, detect and report bad activity on the platform,” a Cash App spokesperson told Motherboard in a statement. “For those who believe they have been the victim of identity theft or account takeover fraud, we encourage them to contact Cash App Support where we will assess the relevant account. If it is deemed fraudulent, we will take the necessary measures starting with account closure and deactivation of all applicable products.”
Scammers also appear to offer Cash App accounts for another purpose: money laundering. Motherboard found several listings on a dark web market offering these newly created and verified accounts. Cash App requires users to verify their identity in order to use certain features, and this may require them to provide their social security number with the platform. These already verified accounts will allow fraudsters to purchase Bitcoin through the Cash app without having to verify their identity, the listing suggests.
Subscribe to our cyber security podcast, CYBER. Subscribe to our new Twitch channel.